Security expert: iPhone password hack shows flawed security model

A recently revealed attack can open up the contents of an iPhone password …

News of a successful attack that almost instantly gives full access to an iPhone's password keychain made its way around the Web on Thursday after Germany's Fraunhofer Institute for Secure Information Technology revealed the exploit to IDG News Service. While the fact that hackers could access a device's keychain in such a short time certainly sounds alarming, the attack isn't entirely new, and is actually a product of Apple's "DRM approach" to security, one iOS security expert told Ars.

Fraunhofer SIT's exploit first relies on physical access to an iPhone, so an attacker has to get your iPhone away from you before digging in. In most cases like this, you would likely want to use Apple's (now free) remote wipe feature in order to protect your data, but remote wipe is easily thwarted by removing the device's SIM card. Any attacker sophisticated enough to decrypt the keychain will know this trick.

Once an attacker has your phone, he could use any of the commonly available jailbreaks to install an SSH server, install a keychain hacking script, and collect the decrypted password information.

Part of what makes the attack relatively trivial is that the cryptographic key used for the keychain is stored on the iPhone. Once a device is jailbroken, hackers can use iOS's built-in APIs to access and decrypt certain passwords—including those for network access and e-mail accounts—stored in the keychain. From there, passwords from VPN access or e-mail accounts can be further used to gain more passwords, or e-mail accounts can be used to request password resets for a number of online services.

But while Fraunhofer SIT's particular methods may be new, accessing the keychain and other encrypted information on a jailbroken iPhone has been possible for some time. iPhone forensics expert Jonathan Zdziarski told Ars that similar exploits have been around since about the time of the introduction of the iPhone 3G.

"Several dev teams have been able to easily deduce Apple's encryption keys for the keychain; it just hasn't been widely advertised," Zdziarski said. The "new" part of Fraunhofer SIT's attack, however, leverages Apple's APIs to access the keychain instead of other methods.

The real problem, according to Zdziarski, is that Apple hasn't yet fully implemented a truly secure environment for iOS. "Apple has—since introducing encryption—been relying on their DRM know-how, and just erasing the label that says 'DRM' and calling it 'security,'" he explained. "The problem with this is that DRM only makes things a little more difficult for hackers."

"Real security relies on the strength of the key, and the secrecy of the key," Zdziarski continued. "And as long as the keys are all stored on the iPhone and don't rely on a user password, they can easily be compromised."

Zdziarski said that he believes Apple is pushing to make the iPhone compliant with security standards set forth in Federal Information Processing Standard 140-2 (FIPS 140-2). When that happens, government and enterprise users can be less wary about iPhone security issues. "But at the end of the day," he said, "Apple will need to abandon their DRM approach if they want true security, as opposed to just some fancy marketing strategies."
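As an added illustration (not code from the article, from Fraunhofer SIT or from Apple), the model below contrasts the two cases the article and the author's later clarification describe: a keychain item wrapped with a key that lives on the device, which anyone with root can read and use, and one wrapped with a key stretched from the user passcode, which is never written to flash. The type and function names, the iterated-HMAC stretching (a stand-in for a real PBKDF) and the constructed device key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

type item struct {
	needsPasscode     bool
	nonce, ciphertext []byte
}

// Device models the phone's flash: every field is readable by an attacker with root.
type Device struct {
	deviceKey []byte // hypothetical per-device key stored on the phone, the article's "key stored on the iPhone"
	salt      []byte // salt for stretching the passcode; the passcode itself is never written to flash
	items     map[string]item
}

func NewDevice() *Device {
	dk := sha256.Sum256([]byte("constructed per-device key, not a real one")) // constructed for reproducibility
	return &Device{dk[:], []byte("constructed-salt"), map[string]item{}}
}

func stretch(passcode string, salt []byte, iters int) []byte {
	k := salt // iterated HMAC-SHA256 is a stand-in for a real PBKDF; the passcode, not flash, is the input
	for i := 0; i < iters; i++ {
		mac := hmac.New(sha256.New, []byte(passcode))
		mac.Write(k)
		k = mac.Sum(nil)
	}
	return k
}

// aead returns AES-GCM under whichever key guards the class; passcode == "" models root without the passcode.
func (d *Device) aead(needsPasscode bool, passcode string) cipher.AEAD {
	key := d.deviceKey // on flash, so root can read it and decrypt while the phone is locked
	if needsPasscode {
		key = stretch(passcode, d.salt, 10000) // exists only while the passcode is supplied
	}
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Store wraps a secret under its class key, binding the item name as associated data.
func (d *Device) Store(name, secret string, needsPasscode bool, passcode string) {
	g := d.aead(needsPasscode, passcode)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	d.items[name] = item{needsPasscode, nonce, g.Seal(nil, nonce, []byte(secret), []byte(name))}
}

// Read unwraps an item; a missing or wrong passcode yields a GCM authentication failure, not a secret.
func (d *Device) Read(name, passcode string) (string, bool) {
	it, ok := d.items[name]
	if !ok {
		return "", false
	}
	pt, err := d.aead(it.needsPasscode, passcode).Open(nil, it.nonce, it.ciphertext, []byte(name))
	return string(pt), err == nil
}
```

Reading the always-available item with an empty passcode succeeds, which is exactly the weakness the article describes; the passcode-protected item fails authentication until the right passcode is supplied.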

iPhone users don't care about not having security in their devices - they believe that products made by Apple are immune to viruses, trojans, hacks, etc. Apple's security infrastructure has been below industry standards for years because they have never felt the pressure that serious corporate machines (Windows machines) need to protect business information - their emphasis has been on making pretty products with effective marketing pushes and that has been about all. When hackers get the info from all the iPhones and iPads in the market today it will be a little bit too late.

The security through obscurity argument is a failure for sure but it's not fair to say all iPhone users are aloof and arrogant when it comes to security.

In most cases like this, you would likely want to use Apple's (now free) remote wipe feature in order to protect your data, but remote wipe is easily thwarted by removing the device's SIM card. Any attacker sophisticated enough to decrypt the keychain will know this trick.

So would the Verizon iPhone be more secure in this sense?

Actually, yes. You would have to call Verizon to deactivate it from the network, and a potential attacker would have to know your account information and/or SSN to have it done without you. Perhaps this is another potential benefit of Apple's rumored embedded SIM module?

So if someone has your house key, they can gain physical access to your house. So this is a fatal flaw in the home protection system. And if someone has your car key, they can gain physical access to your car.

Actually, yes. You would have to call Verizon to deactivate it from the network, and a potential attacker would have to know your account information and/or SSN to have it done without you. Perhaps this is another potential benefit of Apple's rumored embedded SIM module?

This idea is completely false. All you need to do is remove the device from the network. You pull the battery and only turn the device back on when you are in a basement, some other area without coverage, or you wrap the phone in tin foil. There are plenty of ways to get a phone off the network, and easily. If they went to the trouble of physically stealing your device, and know how the keychain works, it's a trivial matter to get a CDMA phone off the network.

Why is this story still being considered news worthy?

First thing, you are talking hardware (house, car) versus software (iPhone's data), and last time I checked my house or car were not encrypted -- the iPhone's data is. Being able to get around the encryption is the story here.

If someone has your laptop, with all your company secrets on it, they still can't use it for anything if the disk is encrypted. Enterprises with secrets to keep, like customer SSNs or credit card numbers, can't trust that information to be on a device that is compromised as soon as the attacker has physical access to it. Suggesting that it is impossible to protect something that an attacker has physical access to is absurd. Blackberries have been capable of protecting user data, even when the phone is lost, for almost a decade.

Unfortunately, this is just a core problem with these devices that you can't fix.

It turns out, users want their phone to continue to do things while it's locked, like check for voicemail, email, calendar updates, and so forth. In order to do that, the phone needs to have access to some kind of credentials even if you haven't entered your password in a while. If your phone can do it on its own, someone who has root access to the phone can do it.

Now, I expect Apple could do a much better job at protecting those credentials in some cases (for instance, if you have your mail set to be checked manually, it should be able to encrypt those credentials while your phone is locked), but there's no getting around the fundamental problem that anything that your phone can do, a person with access to your phone can do, and people want their phone to do things while locked.

If an attacker has physical access to your device you can consider it hacked, it's only a matter of time. So where's the story? This is hardly any different from an attacker who has physical access to a Mac OS X computer or a Windows PC. I for one don't consider any device "less secure" because it can be hacked after it's been stolen. Well, duh, of course it can.

FWIW, 1Password can be used to protect your passwords more securely on the iPhone (and sync them with your other devices). See http://bit.ly/gYllOe

That post by 1Password makes a good point that wasn't entirely clear from the IDG report—namely that some passwords aren't directly accessible via this exploit unless the passcode is known. I've clarified that in the text.

Security is always a tradeoff between security and convenience. In my opinion, Apple's security has the right balance. And because it's easy to use, it actually gets used.

What I particularly object to is the smugness that seems to always accompany comments about "real security". Obscurity is always an element in security, and "real" security is a myth, though there are objective levels of security. Not storing a key on the phone is in fact a kind of obscurity.

I love the guy who talks about Windows as exemplary security. Windows??? I think possession is a good model for phone security. If you lose the keys to your car, you lose the car. Don't lose your phone or your car keys. But even if you lose the keys to the car, people can still steal your car. And if you lock your house, thieves can break in windows.

iOS, the new Windows... Seriously, iOS and Android are going to be huge targets based on number of units sold. Macs were always secure only because they were few in number. Microsoft got spanked on security, but now takes it seriously, it's time for Apple to own up and do the same.

It turns out, users want their phone to continue to do things while it's locked, like check for voicemail, email, calendar updates, and so forth. In order to do that, the phone needs to have access to some kind of credentials even if you haven't entered your password in a while. If your phone can do it on its own, someone who has root access to the phone can do it.

There are a lot of ways to keep a device/connection authenticated without having a password or key stored where people can get at it. Permanent encryption without requiring a password to access the key is utterly worthless.

And this is different from other manufacturers? Please give added information.

Largely irrelevant; there's been no claim otherwise. Apple's the one trying to lay claim to security, and failing. Google, for instance, wants a secure platform but doesn't advertise Android as most secure.

Which isn't to say I wouldn't like improvement on that score; hardware encryption for example, so that the passcode is something other than the electronic equivalent of a Masterlock.

This idea is completely false. All you need to do is remove the device from the network. You pull the battery and only turn the device back on when you are in a basement, some other area without coverage, or you wrap the phone in tin foil. There are plenty of ways to get a phone off the network, and easily. If they went to the trouble of physically stealing your device, and know how the keychain works, it's a trivial matter to get a CDMA phone off the network.

You make a good point—there are other ways to remove it from the network. Removing the iPhone's battery, however, is not a trivial matter. You could turn off the device and then go to a known area where there is no signal, but that's not as trivial as just removing the SIM of a GSM device, which can be done in a matter of seconds. That would give the original owner potentially enough time to initiate a remote wipe. Carrying a portable Faraday cage might be another possible solution (I'm not sure wrapping in tin foil would work the same, though it could), but it sounds like the sort of thing that a much more sophisticated attacker would bother with—in which case, I'd be far more worried about what could happen to me than someone reading my MobileMe e-mail.

Most other devices, including Blackberry, have similar designs and therefore similar flaws.

Blackberry isn't better unless it is tightly administered, which most Blackberry devices are not.

At least it is possible, for those users who need it.

Quote:

Accept it and move on.

Agreed. But people who say, "how is this news?" are missing the point; smartphone consumers should be able to find out how secure these devices are or aren't, so they can make their own informed decisions. On the other hand, the smug trolls are just trolls, and the real news would be an article discussing any smartphone platform where they didn't all come out from under their respective bridges and start hooting.

Largely irrelevant; there's been no claim otherwise. Apple's the one trying to lay claim to security, and failing. Google, for instance, wants a secure platform but doesn't advertise Android as most secure.
Apple makes excessive marketing claims of security, therefore people who want to be informed smartphone consumers shouldn't inquire as to comparatively how secure other platforms may be?

You make a good point—there are other ways to remove it from the network. Removing the iPhone's battery, however, is not a trivial matter. You could turn off the device and then go to a known area where there is no signal, but that's not as trivial as just removing the SIM of a GSM device, which can be done in a matter of seconds. That would give the original owner potentially enough time to initiate a remote wipe. Carrying a portable Faraday cage might be another possible solution (I'm not sure wrapping in tin foil would work the same, though it could), but it sounds like the sort of thing that a much more sophisticated attacker would bother with—in which case, I'd be far more worried about what could happen to me than someone reading my MobileMe e-mail.

Why not just place the phone in Airplane mode (and maybe shut down Wi-Fi)?

iPhone users don't care about not having security in their devices - they believe that products made by Apple are immune to viruses, trojans, hacks, etc. Apple's security infrastructure has been below industry standards for years because they have never felt the pressure that serious corporate machines (Windows machines) need to protect business information - their emphasis has been on making pretty products with effective marketing pushes and that has been about all. When hackers get the info from all the iPhones and iPads in the market today it will be a little bit too late.

Nice troll, as long as you feel good about the security of your "serious corporate machines" - did you say Windows? - all is good. What a laugh. Industry runs on Unix, dear mr. Mouse Click System Engineer (MSCE)

It will always be true that when the key is stored in the same place as the lock, security can be compromised. Regardless of device or manufacturer.

Unless people want to be tied to a data network and central key server or local second-factor authentication (as by a key fob), no single device will ever be secure.

Accept it and move on.

Sorry but I don't agree with your statements. This is not about some hackers trying to steal the pictures off your stolen phone, the most likely scenarios where someone would attempt this would be the exact kind of users that would normally be on those tightly administered BB networks you speak of.

The real problem here is this pretty much proves that iOS devices have zero applicability in the enterprise space and should not be used until Apple changes their policies.

I know one thing is for sure, they don't allow them at my place of work, with security reasons being the primary factor.

Why not just place the phone in Airplane mode (and maybe shut down Wi-Fi)?

Airplane mode shuts off all radios in the device, cellular and Wi-Fi. Then you can turn Wi-Fi back on (which doesn't turn the cellular radio on) and connect it to a non-internet connected wireless network to do the jailbreaking, etc.

Unfortunately, this is just a core problem with these devices that you can't fix.

It turns out, users want their phone to continue to do things while it's locked, like check for voicemail, email, calendar updates, and so forth. In order to do that, the phone needs to have access to some kind of credentials even if you haven't entered your password in a while. If your phone can do it on its own, someone who has root access to the phone can do it.

Ever notice how on a computer with an encrypted HDD you have to enter the password as soon as it turns on? The iphone model is that they'll save the password for you.

It's not impossible to fix by a long shot. The Apple model seems to be "Just use these APIs to get access to the passwords". That would be a very weak design. When the phone is turned on the user could be forced to enter their credentials, which could then be used to decrypt the other stored credentials on the phone and saved in memory till the phone is turned off. Sure, that password will be in memory and you can remove the RAM chips and gain access to the password that way, but that is much harder to do.

Nice troll, as long as you feel good about the security of your "serious corporate machines" - did you say Windows? - all is good. What a laugh. Industry runs on Unix, dear mr. Mouse Click System Engineer (MSCE)

Ha. Hahaha. I got a good laugh from this one. The list of corporations that use Linux is less than a page. The list of corporations that use Windows... Well, I don't think it's worth it to make that list; much easier to make a list of corporations that DON'T use Windows.